Employing Graphical Risk Models to Facilitate Cyber-Risk Monitoring - the WISER Approach

  • Aleš Černivec
  • Gencer Erdogan
  • Alejandra Gonzalez
  • Atle Refsdal
  • Antonio Alvarez Romero
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10744)

Abstract

We present a method for developing machine-readable cyber-risk assessment algorithms based on graphical risk models, along with a framework that can automatically collect the input, execute the algorithms, and present the assessment results to a decision maker. This facilitates continuous monitoring of cyber-risk. The intended users of the method are professionals and practitioners interested in developing new algorithms for a specific organization, system or attack type, such as consultants or dedicated cyber-risk experts in larger organizations. For the assessment results, the intended users are decision makers in charge of countermeasure selection from an overall business perspective.

Keywords

Cyber risk, Security, Risk modelling, Risk assessment, Risk monitoring

Notes

Acknowledgments

This work has been conducted as part of the WISER project (653321) funded by the European Commission within the Horizon 2020 research and innovation programme.

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Aleš Černivec (1)
  • Gencer Erdogan (2)
  • Alejandra Gonzalez (3)
  • Atle Refsdal (2)
  • Antonio Alvarez Romero (4)

  1. XLAB Research, Ljubljana, Slovenia
  2. SINTEF Digital, Oslo, Norway
  3. AON, Milan, Italy
  4. ATOS, Sevilla, Spain
